
A1 Responses

The document outlines various cybersecurity threats and solutions, including compromised confidentiality, integrity, and availability of sensitive information through methods like spyware, ransomware, and phishing. It also discusses detection, deterrence, deflection, prevention, and recovery strategies against DoS attacks, along with descriptions of specific malware types such as Conti, Pegasus, QakBot, and Stuxnet. Additionally, it details programming exploits related to privilege escalation and buffer overflow vulnerabilities.


1.

(a) Solution:
• Compromised CIA properties: Confidentiality. Pep’s location data, which should remain
private, is available to rival clubs or other parties without his knowledge or consent.
• Possible attack method: Spyware or tracking malware. A malicious app or spyware could
have been installed on Pep’s phone, allowing an unauthorized party to track his location in
real time without his awareness.
(b) Solution:
• Compromised CIA properties: Availability. The legal details of the bidding deal, which should
be consistently and readily accessible for authorized parties, are unresponsive and locked.
• Possible attack method: Ransomware. Malicious software could have been deployed to encrypt
the legal team’s systems, displaying messages demanding payment to unlock the systems and
disrupting the availability of essential services and data.
(c) Solution:
• Compromised CIA properties: Confidentiality and Integrity. The tactical blueprints, team
strategies and match preparation notes are all private information but are now available
to everyone who can access football forums. Furthermore, the accuracy and trustworthiness
of the data has not been maintained: it has been altered by unauthorized people to include
bizarre formations and strategies.
• Possible attack method: Interface illusions (i.e. Phishing). Attackers could have figured out
Pep’s login credentials by tricking him into communicating with a hacker-owned system. Then,
they could’ve leaked the information from his cloud storage.
2. (a) Detect it. Solution:
• Detection Solution: The company should have implemented intrusion detection systems (IDS)
and anomaly detection mechanisms to identify abnormal traffic disruption patterns indicative
of a DoS attack.
• Explanation: Intrusion detection systems and anomaly detection mechanisms can quickly
identify unusual traffic patterns associated with DoS attacks. Early detection allows the
company to take action promptly, mitigating the impact and minimizing
(b) Deter it. Solution:
• Detection Solution: Load balancers and firewalls, investigate attackers.
• Explanation: Implementing load balancers or firewalls can reduce server load, meaning that
it would take more computing power, higher costs and more effort to perform a DoS attack
on the site. Additionally, investigating the groups that perform attacks on the
site can threaten their confidentiality and dissuade other groups from conducting similar
attacks.
(c) Deflect it. Solution:
• Detection Solution: Utilize a Content Delivery Network (CDN) with DDoS Mitigation Services
(i.e. Load Balancing).
• Explanation: Content delivery networks can help mitigate distributed DoS attacks through
hardware redundancy, load balancing, and isolating target sites from attacks. The team should
deploy distributed load balancing technology to deflect traffic by routing it through multiple
servers or data centers. Its load balancing feature can route user requests to the least-burdened
server so the attacks are distributed and deferred to different servers capable of handling high
traffic spikes or malicious attack attempts.
(d) Prevent it. Solution:
• Detection Solution: The team should configure load balancers and firewalls to distribute load,
block suspicious IP addresses and set rate limits to restrict the number of requests from a
single source.

• Explanation: These measures help block or limit malicious traffic before it overwhelms the
website. Load balancers can reroute traffic equally among several servers while firewalls can
block connections from attacking networks.
(e) Recover from it. Solution:
• Detection Solution: Encryption. The team should mitigate the effects by encrypting Confidential
Information and also execute an incident response analysis.
• Explanation: The company should mitigate the effects of the attack by keeping all confiden-
tial information encrypted. For example, using salted password hashes instead of plaintext
passwords for storing user/employee passwords ensures that, even if data is accessed during
an attack, the attackers cannot gather meaningful information. This encryption mitigates
the effects of the DoS attack by protecting sensitive data from being compromised. They
should also conduct an incident response investigation to reduce the chance of a DoS attack
happening again.
3. (a)
(b) Conti
• Type of Malware: Ransomware.
• How It Spreads: Conti typically spreads through phishing emails, trojans, or brute-force
attacks on Remote Desktop Protocol (RDP) services to gain initial access to systems. It then
attempts to gain admin access and propagate to other devices in the network.
• Resulting Effect: Conti encrypts the victim’s files, deletes backups and demands a ransom for
the decryption key, leading to data loss and financial damage if the ransom is not paid. The
program may also install backdoors to prevent victims from recovering their files.
(c) Pegasus
• Type of Malware: Spyware.
• How It Spreads: Pegasus exploits vulnerabilities in mobile operating systems (iOS and Android)
through phishing messages, zero- or one-click exploits and more. It spreads through
attacks but does not self-propagate.
• Resulting Effect: Pegasus provides attackers with extensive surveillance capabilities, including
access to audio, messages, photos, camera, microphone, and location data, compromising the
victim’s privacy and security. It communicates with an external server to send this data.
(d) QakBot
• Type of Malware: Trojan.
• How It Spreads: QakBot is a second stage malware that is initially spread through means
like phishing emails containing malicious attachments or links, physical installation or manual
exploits. Once executed, it can propagate across networks autonomously.
• Resulting Effect: QakBot then steals banking credentials and personal information, facilitates
unauthorized financial transactions, and can download additional malware. This information
is communicated back to the attackers, who exploit it.
(e) Stuxnet
• Type of Malware: Worm.
• How It Spreads: Stuxnet spreads via removable drives, network shares, and by exploiting
multiple zero-day vulnerabilities. It moves across device networks without user intervention
and is capable of hiding its presence and preventing detection.
• Resulting Effect: Stuxnet was specifically designed to target industrial control systems such as
centrifuges in nuclear facilities, causing physical damage and disrupting critical infrastructure.
4. Programming questions.
(a) sploit1.c:

• Type of Exploit (non-memory): Privilege Escalation via Environment Variable Manipulation
and Password Automation
• Description: This exploit targets an incomplete mediation vulnerability by manipulating the
HOME environment variable to impersonate the root user.
• Explanation: The exploit sets the HOME environment variable to /root using putenv("HOME=/root").
This makes pwgen believe that the current user is root. It then generates a password for root
and writes it to /etc/shadow. We parse the output file for the password and create a root
shell using the expect script.
(b) sploit2.c:
• Type of Exploit (non-memory): TOCTTOU
• Description: This exploit leverages a TOCTTOU vulnerability by manipulating the /tmp/pwgen_random
temporary file between the permission check and its use. By creating a symbolic link to
/etc/shadow, the exploit redirects sensitive data writes to the system’s shadow file, allowing
the attacker to alter root credentials.
• Explanation: The entropy script function uses expect to spawn the pwgen utility with specific
flags (-w -sab -e), which write a new password and gather entropy. Before pwgen
writes to /tmp/pwgen_random, the exploit deletes this file and creates a symbolic link pointing
to /etc/shadow. The exploit sends a crafted string ("root:abiQ6Ep3EYTHc:19958:0:99999:7:::\n")
to pwgen via the expect script. When pwgen writes this input to
/tmp/pwgen_random, it writes to /etc/shadow due to the symbolic link. The injected string
removes the password for the root user by writing "::::::::\nroot::::::::".
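The check-then-use window described above, shown as an added C example (not the assignment's code and not pwgen's source; function names and the stand-in paths are hypothetical): the vulnerable pattern resolves the temp-file name twice and follows a planted symlink, while the hardened form opens the file atomically with O_EXCL|O_NOFOLLOW and validates the descriptor rather than the name.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: check the name, then reopen it by name. stat() and fopen() both
 * follow symlinks and resolve the path independently, so a link planted under (or
 * swapped into) that name between the two calls is silently followed. */
ssize_t write_random_unsafe(const char *path, const char *data) {
    struct stat st;
    if (stat(path, &st) == 0 && !S_ISREG(st.st_mode)) return -1;   /* "check" */
    FILE *f = fopen(path, "w");                                      /* "use"   */
    if (!f) return -1;
    ssize_t n = (ssize_t)fwrite(data, 1, strlen(data), f);
    fclose(f); return n;
}

/* Hardened: one atomic open that refuses to follow a symlink (O_NOFOLLOW) and refuses
 * any pre-existing file (O_EXCL), then validates the descriptor we actually hold. */
ssize_t write_random_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                     /* EEXIST or ELOOP: someone got there first */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) { close(fd); return -1; }
    ssize_t n = write(fd, data, strlen(data));
    close(fd); return n;
}

/* Demo (constructed): plant a symlink under the temp-file name in a private directory,
 * pointing at a stand-in file instead of /etc/shadow, and run both writers. Returns 0 when
 * the unsafe writer followed the link, the safe one refused it, and the safe one still
 * works on a fresh path; otherwise a bit mask naming the failed check. */
int demo_symlink_swap(void) {
    char dir[] = "/tmp/tocttou_demo.XXXXXX", target[256], lnk[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/shadow_stand_in", dir);
    snprintf(lnk, sizeof lnk, "%s/pwgen_random", dir);
    FILE *t = fopen(target, "w"); if (!t) return -1; fclose(t);
    if (symlink(target, lnk) != 0) return -1;
    int rc = 0; struct stat st;
    if (write_random_unsafe(lnk, "constructed data\n") <= 0) rc |= 1;
    if (stat(target, &st) != 0 || st.st_size == 0) rc |= 2;        /* data landed in target */
    if (write_random_safe(lnk, "constructed data\n") != -1) rc |= 4;
    unlink(lnk);
    if (write_random_safe(lnk, "constructed data\n") <= 0) rc |= 8;
    unlink(lnk); unlink(target); rmdir(dir);
    return rc;
}
```

The same descriptor-based validation applies to any privileged program that writes to a predictable path in a world-writable directory; mkstemp() gives the same O_EXCL guarantee when the name itself need not be fixed.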
(c) sploit3.c:
• Type of Exploit (memory): Buffer Overflow
• Description: This exploit targets a buffer overflow vulnerability by crafting an oversized input
that overwrites the return address on the stack during strncpy.
• Explanation: We first prepare the buffer by allocating filename with a size of 1124 bytes. We
fill the first 512 bytes with NOPs and copy the shellcode into the buffer immediately after
the NOP sled. The provided shellcode executes /bin/sh with elevated privileges. We then
define a return address that points back into the buffer where the shellcode resides. The address
0x7fffffffd782 + 256 is an attempt to predict the memory location of the buffer on the
stack. We construct the argument for the pwgen command by prepending the -e option to
the crafted buffer containing the NOP sled and shellcode.
